| blob | c451ef5c59ce25e237b5b6663c0627a0113618cb |
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* Some of the stuff needed for Certificate authentication is contained
24 * in this file.
25 */
27 #include <gnutls_int.h>
28 #include <gnutls_errors.h>
29 #include <auth/cert.h>
30 #include <gnutls_datum.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_global.h>
33 #include <algorithms.h>
34 #include <gnutls_dh.h>
35 #include <gnutls_str.h>
36 #include <gnutls_state.h>
37 #include <gnutls_auth.h>
38 #include <gnutls_x509.h>
39 #include <gnutls_str_array.h>
41 #ifdef ENABLE_OPENPGP
43 #endif
45 #define _(String) dgettext (PACKAGE, String)
47 /**
48 * gnutls_certificate_free_keys:
49 * @sc: is a #gnutls_certificate_credentials_t structure.
50 *
51 * This function will delete all the keys and the certificates associated
52 * with the given credentials. This function must not be called when a
53 * TLS negotiation that uses the credentials is in progress.
54 *
55 **/
56 void
58 {
62 {
64 {
66 }
69 }
75 {
77 }
83 }
85 /**
86 * gnutls_certificate_free_cas:
87 * @sc: is a #gnutls_certificate_credentials_t structure.
88 *
89 * This function will delete all the CAs associated with the given
90 * credentials. Servers that do not use
91 * gnutls_certificate_verify_peers2() may call this to save some
92 * memory.
93 **/
94 void
96 {
97 /* FIXME: do nothing for now */
99 }
101 /**
102 * gnutls_certificate_get_issuer:
103 * @sc: is a #gnutls_certificate_credentials_t structure.
104 * @cert: is the certificate to find issuer for
105 * @issuer: Will hold the issuer if any. Should be treated as constant.
106 * @flags: Use zero.
107 *
108 * This function will return the issuer of a given certificate.
109 *
110 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
111 * negative error value.
112 *
113 * Since: 3.0
114 **/
115 int
118 {
120 }
122 /**
123 * gnutls_certificate_free_ca_names:
124 * @sc: is a #gnutls_certificate_credentials_t structure.
125 *
126 * This function will delete all the CA name in the given
127 * credentials. Clients may call this to save some memory since in
128 * client side the CA names are not used. Servers might want to use
129 * this function if a large list of trusted CAs is present and
130 * sending the names of it would just consume bandwidth without providing
131 * information to client.
132 *
133 * CA names are used by servers to advertise the CAs they support to
134 * clients.
135 **/
136 void
138 {
140 }
142 /*-
143 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
144 * @rsa_params: holds the RSA parameters or NULL.
145 * @func: function to retrieve the parameters or NULL.
146 * @session: The session.
147 *
148 * This function will return the rsa parameters pointer.
149 -*/
150 gnutls_rsa_params_t
153 gnutls_session_t session)
154 {
155 gnutls_params_st params;
159 {
161 }
164 {
166 }
168 {
171 {
174 }
175 }
178 }
181 /**
182 * gnutls_certificate_free_credentials:
183 * @sc: is a #gnutls_certificate_credentials_t structure.
184 *
185 * This structure is complex enough to manipulate directly thus this
186 * helper function is provided in order to free (deallocate) it.
187 *
188 * This function does not free any temporary parameters associated
189 * with this structure (ie RSA and DH parameters are not freed by this
190 * function).
191 **/
192 void
194 {
200 #ifdef ENABLE_OPENPGP
202 #endif
205 }
208 /**
209 * gnutls_certificate_allocate_credentials:
210 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
211 *
212 * This structure is complex enough to manipulate directly thus this
213 * helper function is provided in order to allocate it.
214 *
215 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
216 **/
217 int
219 res)
220 {
230 {
234 }
239 }
242 /* returns the KX algorithms that are supported by a
243 * certificate. (Eg a certificate with RSA params, supports
244 * GNUTLS_KX_RSA algorithm).
245 * This function also uses the KeyUsage field of the certificate
246 * extensions in order to disable unneded algorithms.
247 */
248 int
252 {
253 gnutls_kx_algorithm_t kx;
259 {
262 }
269 {
272 {
273 /* then check key usage */
275 {
277 i++;
281 }
282 }
283 }
286 {
289 }
294 }
297 /**
298 * gnutls_certificate_server_set_request:
299 * @session: is a #gnutls_session_t structure.
300 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
301 *
302 * This function specifies if we (in case of a server) are going to
303 * send a certificate request message to the client. If @req is
304 * GNUTLS_CERT_REQUIRE then the server will return an error if the
305 * peer does not provide a certificate. If you do not call this
306 * function then the client will not be asked to send a certificate.
307 **/
308 void
310 gnutls_certificate_request_t req)
311 {
313 }
315 /**
316 * gnutls_certificate_client_set_retrieve_function:
317 * @cred: is a #gnutls_certificate_credentials_t structure.
318 * @func: is the callback function
319 *
320 * This function sets a callback to be called in order to retrieve the
321 * certificate to be used in the handshake.
322 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
323 * is much more efficient in the processing it requires from gnutls.
324 *
325 * The callback's function prototype is:
326 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
327 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
328 *
329 * @req_ca_cert is only used in X.509 certificates.
330 * Contains a list with the CA names that the server considers trusted.
331 * Normally we should send a certificate that is signed
332 * by one of these CAs. These names are DER encoded. To get a more
333 * meaningful value use the function gnutls_x509_rdn_get().
334 *
335 * @pk_algos contains a list with server's acceptable signature algorithms.
336 * The certificate returned should support the server's given algorithms.
337 *
338 * @st should contain the certificates and private keys.
339 *
340 * If the callback function is provided then gnutls will call it, in the
341 * handshake, if a certificate is requested by the server (and after the
342 * certificate request message has been received).
343 *
344 * The callback function should set the certificate list to be sent,
345 * and return 0 on success. If no certificate was selected then the
346 * number of certificates should be set to zero. The value (-1)
347 * indicates error and the handshake will be terminated.
348 **/
349 void gnutls_certificate_client_set_retrieve_function
352 {
354 }
356 /**
357 * gnutls_certificate_server_set_retrieve_function:
358 * @cred: is a #gnutls_certificate_credentials_t structure.
359 * @func: is the callback function
360 *
361 * This function sets a callback to be called in order to retrieve the
362 * certificate to be used in the handshake.
363 * You are advised to use gnutls_certificate_set_retrieve_function2() because it
364 * is much more efficient in the processing it requires from gnutls.
365 *
366 * The callback's function prototype is:
367 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
368 *
369 * @st should contain the certificates and private keys.
370 *
371 * If the callback function is provided then gnutls will call it, in the
372 * handshake, after the certificate request message has been received.
373 *
374 * The callback function should set the certificate list to be sent, and
375 * return 0 on success. The value (-1) indicates error and the handshake
376 * will be terminated.
377 **/
378 void gnutls_certificate_server_set_retrieve_function
381 {
383 }
385 /**
386 * gnutls_certificate_set_retrieve_function:
387 * @cred: is a #gnutls_certificate_credentials_t structure.
388 * @func: is the callback function
389 *
390 * This function sets a callback to be called in order to retrieve the
391 * certificate to be used in the handshake. You are advised
392 * to use gnutls_certificate_set_retrieve_function2() because it
393 * is much more efficient in the processing it requires from gnutls.
394 *
395 * The callback's function prototype is:
396 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
397 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
398 *
399 * @req_ca_cert is only used in X.509 certificates.
400 * Contains a list with the CA names that the server considers trusted.
401 * Normally we should send a certificate that is signed
402 * by one of these CAs. These names are DER encoded. To get a more
403 * meaningful value use the function gnutls_x509_rdn_get().
404 *
405 * @pk_algos contains a list with server's acceptable signature algorithms.
406 * The certificate returned should support the server's given algorithms.
407 *
408 * @st should contain the certificates and private keys.
409 *
410 * If the callback function is provided then gnutls will call it, in the
411 * handshake, after the certificate request message has been received.
412 *
413 * In server side pk_algos and req_ca_dn are NULL.
414 *
415 * The callback function should set the certificate list to be sent,
416 * and return 0 on success. If no certificate was selected then the
417 * number of certificates should be set to zero. The value (-1)
418 * indicates error and the handshake will be terminated.
419 *
420 * Since: 3.0
421 **/
422 void gnutls_certificate_set_retrieve_function
425 {
427 }
429 /**
430 * gnutls_certificate_set_retrieve_function2:
431 * @cred: is a #gnutls_certificate_credentials_t structure.
432 * @func: is the callback function
433 *
434 * This function sets a callback to be called in order to retrieve the
435 * certificate to be used in the handshake.
436 *
437 * The callback's function prototype is:
438 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
439 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert,
440 * unsigned int *pcert_length, gnutls_privkey_t * pkey);
441 *
442 * @req_ca_cert is only used in X.509 certificates.
443 * Contains a list with the CA names that the server considers trusted.
444 * Normally we should send a certificate that is signed
445 * by one of these CAs. These names are DER encoded. To get a more
446 * meaningful value use the function gnutls_x509_rdn_get().
447 *
448 * @pk_algos contains a list with server's acceptable signature algorithms.
449 * The certificate returned should support the server's given algorithms.
450 *
451 * @pcert should contain a single certificate and public or a list of them.
452 *
453 * @pcert_length is the size of the previous list.
454 *
455 * @pkey is the private key.
456 *
457 * If the callback function is provided then gnutls will call it, in the
458 * handshake, after the certificate request message has been received.
459 *
460 * In server side pk_algos and req_ca_dn are NULL.
461 *
462 * The callback function should set the certificate list to be sent,
463 * and return 0 on success. If no certificate was selected then the
464 * number of certificates should be set to zero. The value (-1)
465 * indicates error and the handshake will be terminated.
466 *
467 * Since: 3.0
468 **/
469 void gnutls_certificate_set_retrieve_function2
472 {
474 }
476 /**
477 * gnutls_certificate_set_verify_function:
478 * @cred: is a #gnutls_certificate_credentials_t structure.
479 * @func: is the callback function
480 *
481 * This function sets a callback to be called when peer's certificate
482 * has been received in order to verify it on receipt rather than
483 * doing after the handshake is completed.
484 *
485 * The callback's function prototype is:
486 * int (*callback)(gnutls_session_t);
487 *
488 * If the callback function is provided then gnutls will call it, in the
489 * handshake, just after the certificate message has been received.
490 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
491 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
492 * can be used.
493 *
494 * The callback function should return 0 for the handshake to continue
495 * or non-zero to terminate.
496 *
497 * Since: 2.10.0
498 **/
499 void
500 gnutls_certificate_set_verify_function
503 {
505 }
507 /*-
508 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
509 * @cert: should contain an X.509 DER encoded certificate
510 *
511 * This function will return the certificate's activation time in UNIX time
512 * (ie seconds since 00:00:00 UTC January 1, 1970).
513 *
514 * Returns a (time_t) -1 in case of an error.
515 *
516 -*/
517 static time_t
519 {
520 gnutls_x509_crt_t xcert;
529 {
532 }
539 }
541 /*-
542 * gnutls_x509_extract_certificate_expiration_time:
543 * @cert: should contain an X.509 DER encoded certificate
544 *
545 * This function will return the certificate's expiration time in UNIX
546 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
547 *
548 * (time_t) -1 in case of an error.
549 *
550 -*/
551 static time_t
553 {
554 gnutls_x509_crt_t xcert;
563 {
566 }
573 }
575 #ifdef ENABLE_OPENPGP
576 /*-
577 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
578 * @session: is a gnutls session
579 *
580 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
581 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
582 -*/
583 static int
587 {
588 cert_auth_info_t info;
589 gnutls_certificate_credentials_t cred;
601 {
604 }
607 {
610 }
612 /* generate a list of gnutls_certs based on the auth info
613 * raw certs.
614 */
618 {
621 }
623 /* Verify certificate
624 */
625 ret =
630 {
633 }
636 }
637 #endif
639 /**
640 * gnutls_certificate_verify_peers2:
641 * @session: is a gnutls session
642 * @status: is the output of the verification
643 *
644 * This function will verify the peer's certificate and store
645 * the status in the @status variable as a bitwise or'd gnutls_certificate_status_t
646 * values or zero if the certificate is trusted. Note that value in @status
647 * is set only when the return value of this function is success (i.e, failure
648 * to trust a certificate does not imply a negative return value).
649 *
650 * If available the OCSP Certificate Status extension will be
651 * utilized by this function.
652 *
653 * To avoid denial of service attacks some
654 * default upper limits regarding the certificate key size and chain
655 * size are set. To override them use gnutls_certificate_set_verify_limits().
656 *
657 * Note that you must also check the peer's name in order to check if
658 * the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname(),
659 * or use gnutls_certificate_verify_peers3().
660 *
661 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
662 **/
663 int
666 {
667 cert_auth_info_t info;
673 {
675 }
681 {
684 #ifdef ENABLE_OPENPGP
687 #endif
690 }
691 }
693 /**
694 * gnutls_certificate_verify_peers3:
695 * @session: is a gnutls session
696 * @hostname: is the expected name of the peer; may be %NULL
697 * @status: is the output of the verification
698 *
699 * This function will verify the peer's certificate and store the
700 * status in the @status variable as a bitwise or'd gnutls_certificate_status_t
701 * values or zero if the certificate is trusted. Note that value in @status
702 * is set only when the return value of this function is success (i.e, failure
703 * to trust a certificate does not imply a negative return value).
704 *
705 * If the @hostname provided is non-NULL then this function will compare
706 * the hostname in the certificate against the given. If they do not match
707 * the %GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set.
708 *
709 * If available the OCSP Certificate Status extension will be
710 * utilized by this function.
711 *
712 * To avoid denial of service attacks some
713 * default upper limits regarding the certificate key size and chain
714 * size are set. To override them use gnutls_certificate_set_verify_limits().
715 *
716 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
717 *
718 * Since: 3.1.4
719 **/
720 int
724 {
725 cert_auth_info_t info;
731 {
733 }
739 {
742 #ifdef ENABLE_OPENPGP
745 #endif
748 }
749 }
751 /**
752 * gnutls_certificate_expiration_time_peers:
753 * @session: is a gnutls session
754 *
755 * This function will return the peer's certificate expiration time.
756 *
757 * Returns: (time_t)-1 on error.
758 *
759 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
760 **/
761 time_t
763 {
764 cert_auth_info_t info;
770 {
772 }
775 {
778 }
781 {
783 return
786 #ifdef ENABLE_OPENPGP
788 return
789 _gnutls_openpgp_get_raw_key_expiration_time
791 #endif
794 }
795 }
797 /**
798 * gnutls_certificate_activation_time_peers:
799 * @session: is a gnutls session
800 *
801 * This function will return the peer's certificate activation time.
802 * This is the creation time for openpgp keys.
803 *
804 * Returns: (time_t)-1 on error.
805 *
806 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
807 **/
808 time_t
810 {
811 cert_auth_info_t info;
817 {
819 }
822 {
825 }
828 {
830 return
833 #ifdef ENABLE_OPENPGP
835 return
838 #endif
841 }
842 }
844 /**
845 * gnutls_sign_callback_set:
846 * @session: is a gnutls session
847 * @sign_func: function pointer to application's sign callback.
848 * @userdata: void pointer that will be passed to sign callback.
849 *
850 * Set the callback function. The function must have this prototype:
851 *
852 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
853 * void *userdata,
854 * gnutls_certificate_type_t cert_type,
855 * const gnutls_datum_t * cert,
856 * const gnutls_datum_t * hash,
857 * gnutls_datum_t * signature);
858 *
859 * The @userdata parameter is passed to the @sign_func verbatim, and
860 * can be used to store application-specific data needed in the
861 * callback function. See also gnutls_sign_callback_get().
862 *
863 * Deprecated: Use the PKCS 11 or #gnutls_privkey_t interfacess like gnutls_privkey_import_ext() instead.
864 **/
865 void
868 {
871 }
873 /**
874 * gnutls_sign_callback_get:
875 * @session: is a gnutls session
876 * @userdata: if non-%NULL, will be set to abstract callback pointer.
877 *
878 * Retrieve the callback function, and its userdata pointer.
879 *
880 * Returns: The function pointer set by gnutls_sign_callback_set(), or
881 * if not set, %NULL.
882 *
883 * Deprecated: Use the PKCS 11 interfaces instead.
884 **/
885 gnutls_sign_func
887 {
891 }
893 /* returns error if the certificate has different algorithm than
894 * the given key parameters.
895 */
896 int
898 {
903 {
906 }
909 }
911 /**
912 * gnutls_certificate_verification_status_print:
913 * @status: The status flags to be printed
914 * @type: The certificate type
915 * @out: Newly allocated datum with (0) terminated string.
916 * @flags: should be zero
917 *
918 * This function will pretty print the status of a verification
919 * process -- eg. the one obtained by gnutls_certificate_verify_peers3().
920 *
921 * The output @out needs to be deallocated using gnutls_free().
922 *
923 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
924 * negative error value.
925 *
926 * Since: 3.1.4
927 **/
928 int
930 gnutls_certificate_type_t type,
932 {
933 gnutls_buffer_st str;
940 else
944 {
959 }
961 {
969 }
975 _gnutls_buffer_append_str (&str, _("The certificate chain violates the signer's constraints. "));
987 _gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. "));
993 }